6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe
Size

338KB
MD5

1ee227ec277bbf25bf8657dc0379eb8e
SHA1

afc9a4fe432148cc5113357d7ba845f5dcec4aad
SHA256

6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb
SHA512

7708f75ff5ac684c8a885eb4397d96e6af0084fd9ff9748eef3c9468669b6d1c86679bcba834c134e814b46b989508a373c9ff74595f5e1cd0b88887d2209efb
SSDEEP

6144:TxDf9Q//uNLa8UBanwMhumZGiANdNDKFiIeWyb1JoRtz6D:0/uManFhumZIpdJW+gtOD

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4484	drfgruezwu.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1332	4484	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	drfgruezwu.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 4484	632	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	82
PID 632 wrote to memory of 4484	632	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	82
PID 632 wrote to memory of 4484	632	6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe	82
PID 4484 wrote to memory of 2164	4484	drfgruezwu.exe	83
PID 4484 wrote to memory of 2164	4484	drfgruezwu.exe	83
PID 4484 wrote to memory of 2164	4484	drfgruezwu.exe	83

C:\Users\Admin\AppData\Local\Temp\6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe
"C:\Users\Admin\AppData\Local\Temp\6a320de21bbba1a93f56eee513ec18a594ac1caa754c9ce946863022bbf62ceb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:632
- C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe
  C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe C:\Users\Admin\AppData\Local\Temp\flhuvaanr
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe
    C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe C:\Users\Admin\AppData\Local\Temp\flhuvaanr
    3⤵
    PID:2164
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4484 -s 516
    3⤵
    - Program crash
    PID:1332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4484 -ip 4484
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\drfgruezwu.exe

Filesize
235KB

MD5
ce84e0de135e04f77cadb28f8c216367

SHA1
fa583c32020b084e748bf263d120fcfe4ccc324f

SHA256
4a5824da0a6b328ddcf55a46e71ae5648c3c2fb3ce8e39add28de82c3e97ef5b

SHA512
47e14f190c782dc703468d4751b39865f3274de2b9cd35652d906e07c3f7da1014173284b14be8041d1ab9eeca0dd878ce290d9342b057b85d2cf4dd1cc72071

Download Submit
C:\Users\Admin\AppData\Local\Temp\flhuvaanr

Filesize
4KB

MD5
f04e7716091d2389032541ba8eeb87de

SHA1
8bec3857fda9bbb8f98182f728bbd054967679cf

SHA256
649cee55f8b6d06eacb6c7f3fd98a153873c66230bc1b17c8789fd8fa3ca0d40

SHA512
80bc5d21a755af9571462fc7e04e4f51d0515dd658bf001d3eae2922fca54423fb5f27d5da73bcedd4b7a6624ffadc18810270ed641e0f47160b02bde18c2417

Download Submit
C:\Users\Admin\AppData\Local\Temp\x6x2dqsyxlhw6i7v7rx

Filesize
211KB

MD5
f7b34417e6147b112144d1d9b50a0c2c

SHA1
1f089694334f36d7c29e89350294862e0d8043a7

SHA256
f956110ead3550c2d01cd7796c82d1e31de04513e29db33937ef0dea4358c2d0

SHA512
f53c9b1ad6abd969fcc2d55c67f961fb973f65b479c1c3d0ace139fc205f3d29bac1beb3f92fa9e6b3cbcba788eaef3a42f2989d8dbb3c7ffaa0cc6610a43731

Download Submit
memory/4484-8-0x00000000004D0000-0x00000000004D2000-memory.dmp

Filesize
8KB

Download